De Raadt + FBSD + OpenSSH + hole?

RW rwmaillists at googlemail.com
Sun Apr 20 21:00:43 UTC 2014


On Sun, 20 Apr 2014 15:00:28 -0400
Nathan Dorfman wrote:

> On Sun, Apr 20, 2014 at 2:31 PM, Jamie Landeg-Jones
> <jamie at dyslexicfish.net> wrote:
> > Once memory has been freed, I thought any attempt by a user process
> > to access it would cause a SIGSEV.
> >
> > I thought the issue was with programs that inadvertently expose
> > (either to read or write) other parts of their active memory.
> >
> > Of course, if a process rolls its own in-process implementation
> > of malloc/free, then this point is moot, but once you free memory
> > back to the system, isn't it no longer accessible anyway?
> 
> free() doesn't usually "free memory back to the system." It just puts
> it back onto a "free list" managed by libc, entirely within the
> process's address space.

It can return the physical memory, but there are a couple of caveats.
Firstly, it can only return whole pages. Secondly, it's not returned
instantaneously to avoid the overhead of page-faults and zeroing pages
if that region is remalloced. It's left to the page-daemon to recover
the physical memory in its own time, and it remains readable by its
previous process until it's reassigned.
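The practical consequence of the two points above (free() hands the block to libc's free list, and even pages that are returned stay readable by the process until the page daemon reassigns them) is that anything sensitive in a buffer survives free() unless the program wipes it first. The following is an added example, not code from this thread or from any BSD libc: it wipes a buffer with a volatile store loop before freeing it, which an optimising compiler cannot drop the way it may drop a plain memset() before free(). The names scrub(), secure_free() and demo_scrub_before_free() are this example's own; on FreeBSD and OpenBSD the system-provided equivalent of scrub() is explicit_bzero(3).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Zero a buffer in a way the optimiser cannot remove. A plain memset()
 * immediately before free() is a dead store that compilers may legally
 * drop; writes through a volatile pointer must be performed.
 * (Illustrative helper; explicit_bzero(3) is the libc equivalent.) */
void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Count bytes that are still non-zero, so the wipe can be verified. */
size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            k++;
    return k;
}

/* Release a buffer that held secret material: wipe it first, then free
 * it, so the block that goes back onto libc's free list (and any page the
 * page daemon later reassigns) carries no residue of the secret. */
void secure_free(void *p, size_t n)
{
    if (p == NULL)
        return;
    scrub(p, n);
    free(p);
}

/* Run the pattern on a constructed "secret" of n bytes and return how many
 * non-zero bytes remained just before the block was handed back to free().
 * Returns (size_t)-1 on allocation failure. */
size_t demo_scrub_before_free(size_t n)
{
    unsigned char *secret = malloc(n);
    if (secret == NULL)
        return (size_t)-1;
    memset(secret, 'K', n);          /* constructed secret material */
    scrub(secret, n);                /* wipe while we still own the block */
    size_t left = count_nonzero(secret, n);   /* 0: nothing left to leak */
    free(secret);                    /* only now return it to the free list */
    return left;
}

int main(void)
{
    size_t left = demo_scrub_before_free(4096);
    printf("non-zero bytes remaining before free(): %zu\n", left);
    return left == 0 ? 0 : 1;
}
```

secure_free() needs the buffer length because free() does not tell the caller how large the block is; a program that keeps secrets in heap memory has to track that length anyway to know how much to wipe.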
